From 00a0ac78856eda1da43e68b58952f2c9f12dd561 Mon Sep 17 00:00:00 2001
From: Nate Maninger <me@n8m.us>
Date: Sat, 30 Dec 2023 12:05:45 -0800
Subject: [PATCH] settings: validate netaddress when updating settings

---
 host/settings/netaddress_default.go | 32 +++++++++++++++++------------
 host/settings/settings.go           |  7 +++++++
 2 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/host/settings/netaddress_default.go b/host/settings/netaddress_default.go
index 1061bf2..72d6c51 100644
--- a/host/settings/netaddress_default.go
+++ b/host/settings/netaddress_default.go
@@ -6,31 +6,37 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"strconv"
 )
 
 func validateNetAddress(netaddress string) error {
-	addr, _, err := net.SplitHostPort(netaddress)
+	host, port, err := net.SplitHostPort(netaddress)
 	if err != nil {
-		return fmt.Errorf("invalid net address %q: net addresses must contain an IP and port: %w", netaddress, err)
-	} else if addr == "" {
+		return fmt.Errorf("invalid net address %q: net addresses must contain a host and port: %w", netaddress, err)
+	}
+
+	// Check that the host is not empty or localhost.
+	if host == "" {
 		return errors.New("empty net address")
-	} else if addr == "localhost" {
+	} else if host == "localhost" {
 		return errors.New("net address cannot be localhost")
 	}
 
-	ip := net.ParseIP(addr)
+	// Check that the port is a valid number.
+	n, err := strconv.Atoi(port)
+	if err != nil {
+		return fmt.Errorf("failed to parse port: %w", err)
+	} else if n < 1 || n > 65535 {
+		return errors.New("port must be between 1 and 65535")
+	}
+
+	// If the host is an IP address, check that it is a public IP address.
+	ip := net.ParseIP(host)
 	if ip != nil {
 		if ip.IsLoopback() || ip.IsPrivate() || !ip.IsGlobalUnicast() {
-			return fmt.Errorf("invalid net address %q: only public IP addresses allowed", addr)
+			return fmt.Errorf("invalid net address %q: only public IP addresses allowed", host)
 		}
 		return nil
 	}
-
-	addrs, err := net.LookupIP(addr)
-	if err != nil {
-		return fmt.Errorf("failed to resolve net address %q: %w", addr, err)
-	} else if len(addrs) == 0 {
-		return fmt.Errorf("failed to resolve net address: no addresses found")
-	}
 	return nil
 }
diff --git a/host/settings/settings.go b/host/settings/settings.go
index 262de8f..7b6976e 100644
--- a/host/settings/settings.go
+++ b/host/settings/settings.go
@@ -220,6 +220,13 @@ func (m *ConfigManager) UpdateSettings(s Settings) error {
 		return fmt.Errorf("failed to validate DNS settings: %w", err)
 	}
 
+	// if a netaddress is set, validate it
+	if strings.TrimSpace(s.NetAddress) != "" {
+		if err := validateNetAddress(s.NetAddress); err != nil {
+			return fmt.Errorf("failed to validate net address: %w", err)
+		}
+	}
+
 	m.mu.Lock()
 	m.settings = s
 	m.setRateLimit(s.IngressLimit, s.EgressLimit)